(54) A cryptographic protocol for secure communications.

A cryptographic communication system. The system, which employs a novel combination of public and private key cryptography, allows two parties, who share only a relatively insecure password, to bootstrap a computationally secure cryptographic system over an insecure network. The system is secure against active and passive attacks, and has the property that the password is protected against off-line "dictionary" attacks. If Alice and Bob are two parties who share the password P, one embodiment of the system involves the following steps: (1) Alice generates a random public key E, encrypts it with P and sends P(E) to Bob; (2) Bob decrypts to get E, encrypts a random secret key R with E and sends E(R) to Alice; (3) Alice decrypts to get R, generates a random challenge C_A and sends R(C_A) to Bob; (4) Bob decrypts to get C_A, generates a random challenge C_B and sends R(C_A, C_B) to Alice; (5) Alice decrypts to get (C_A, C_B), compares the first against the challenge and sends R(C_B) to Bob if they are equal; (6) Bob decrypts and compares with the earlier challenge; and (7) Alice and Bob can use R as a shared secret key to protect the session.
Background of the Invention
Field of the Invention 



This invention relates to cryptographic communications in general and more particularly to methods and [...] a relatively insecure secret.
Description of the Related Art 
Two parties often wish to conduct private and authenticated communications. While privacy can be sought through physical means, it is often more efficient and effective to employ cryptographic means, and while au[...] is communicated over a physically insecure communication channel, it is susceptible [...] an eavesdropper to [...] and to subsequently [...] the parties [...].

The Kerberos authentication system of MIT's Project Athena attempted to solve this problem in the context of [...]; see R.M. Needham and M.D. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Communications of the ACM, Vol. 21, No. 12, 993-999 (Dec. 1978), and [...] Neuman and J. Schiller, [...], Dallas, 1988. According to the Kerberos system, each Kerberos system user is assigned a unique login ID and is allowed to choose a secret password. The password is conveyed by the user to the Kerberos [...]. [When] a user sends his or her password along with his or her ID, that technique has the serious disadvantage that an eavesdropper could readily ascertain the ID and corresponding password of the user.

To solve this problem, the Kerberos system authenticates the identity of the user by creating a puzzle that can probably be solved only by the bona fide user. The puzzle can be thought of as a locked box containing a message, that is secured with a combination lock. The puzzle is constructed by the Kerberos [system such that] the user, knowing his or her own password, can use the password to open the lock and recover the message inside. When the combination to the combination lock is randomly selected from a large number of possibilities, it is infeasible for an impersonator to "pick" the lock.

[Constructing] the puzzle uses several steps. First, the Kerberos system generates a random [...] message to be conveyed to the user. Next, the Kerberos system makes a puzzle [...] (containing the random number) such that the user's password is the key to solving the puzzle and recovering the message. For example, suppose that according to one class of puzzles each puzzle is equal to [...] is transmitted to the user by the Kerberos system. [...] the user know[s] [...]; the user recovers [...] by subtracting [...] his or her password [...]. [The key to] subsequent puzzles is the random number contained in the first puzzle, which [...] the Kerberos system and a bona fide user would know. Authentication occurs implicitly when the user [...].

A discussion of the nomenclature of cryptology is appropriate at this time. A class of puzzles is known as [...] to lock plaintext into ciphertext and is also used to unlock the ciphertext to recover the plaintext.

»«~s^ 

o k S.-~ 

man kay ,o aV^C^S»r^V^Z>T M< !" T" l0 '"' ' hey "'*» " 

L. Gong, "Verifiable-text Attacks in Cryptographic Protocols," Proc. of the I.E.E.E. INFOCOM, The Conf. on Computer Communications.

lev P e, of sel^ Z C lV: e ea S ?: emo te d ey Cryf>t ° SyStem - " »» > ublic -X * * ^ any reasoned 
Summary of the Invention 

[...] establishing [...] communications between parties who share only a relatively insecure secret by using an approach different from the prior art [...] the constraints and restrictions of prior art protocols. [Communications established according to] the invention [are] more secure than those established with the prior art and protect the shared secret (e.g., a password) from being revealed to an eavesdropper.

[These advantages are] obtained in an illustrative embodiment of the present invention in which a portion of one or more of the messages of a public key distribution system are encrypted with the shared secret as the [key]. [In this respect] the illustrative embodiment is similar to the Kerberos [system, except that] the ciphertext is [not] merely a random number but a [portion] of a message of a public key distribution [system].

Because an asymmetric key cryptosystem provides a superset of the functionality of a public key distribution system, public key distribution systems are construed to include asymmetric key cryptosystems which are utilized to provide the commensurate functionality of public key distribution systems.
Brief Description of the Drawing



FIG. 1 presents a sequence of messages used in an illustrative embodiment of the invention that utilizes an asymmetric key cryptosystem and where the first two messages are encrypted with a password.

FIG. 2 presents a sequence of messages used in an illustrative embodiment of the invention that provides protection against attacks on the passwords when a session key has been recovered by an attacker.

FIG. 3 presents a sequence of messages used in an illustrative embodiment of the invention where only a portion of the initial message is encrypted with the password.

FIG. 4 presents a sequence of messages used in an illustrative embodiment of the invention where only a portion of the reply message is encrypted with the password.

FIG. 5 presents a sequence of messages used in an illustrative embodiment of the invention that utilizes a pu[blic key distribution system].

FIG. 6 presents an apparatus that utilizes an asymmetric key cryptosystem and where the first two mes[sages ...].


Detailed Description 
1. NOTATION

The following notation is used throughout:

A, B          The parties desiring to communicate (Alice and Bob respectively).

P             The password: a shared secret, often used as a key.

P'            A key: typically either P or derived from P.

P(X)          Secret key encryption of an argument "X" with key P.

P^-1(X)       Secret key decryption of an argument "X" with key P.

E_A(X)        The asymmetric key encryption of an argument "X" with public key E_A.

D_A(X)        The asymmetric key decryption of an argument "X" with private key D_A.

challenge_A   A random challenge generated by Alice.

challenge_B   A random challenge generated by Bob.

R             A session key or a number from which a session key may be derived.

p, q          Prime numbers.

A symmetric key cryptosystem is the conventional cryptosystem as known up until the 1970's; such symmetric [key cryptosystems] are [...] communications which [...]. Embodiments of the invention are presented which utilize both public key distribution systems and asymmetric key cryptosystems. As used in the following description and claims, "public key distribution system" includes asymmetric key cryptosystems providing the functionality of a public key distribution system.

2. EMBODIMENTS THAT USE ASYMMETRIC KEY CRYPTOSYSTEMS 

The messages exchanged in an illustrative embodiment of the invention are presented in Fig. 1. That embodiment uses an asymmetric key cryptosystem. Alice 101 and Bob 103 are entities who desire to establish [...] communication. Alice is the calling party and Bob is the called party. Referring to Fig. 1:

1. Alice generates a random public key/private key pair, E_A and D_A, and encrypts E_A, or a portion thereof, with the Data Encryption Standard (DES), described in Federal Information Processing Standards Publication 46, National Bureau of Standards, U.S. Dept. of Commerce, January 1977, with password P as the key, yielding P(E_A). Alice sends

P(E_A) (msg. 109)

to Bob as shown at 109. This message may include other information such as the identity of the sender or the remainder of the public key when a portion of it is not encrypted.

2. Bob, knowing P, decrypts msg.109 to obtain P^-1(P(E_A)) = E_A. Bob then generates a random secret key R and encrypts it in the asymmetric key cryptosystem with key E_A to produce E_A(R). This string is further encrypted with P. Bob sends

P(E_A(R)) (msg. 115)

to Alice as shown at 115.

3. Alice, knowing P and D_A, uses them to obtain D_A(P^-1(P(E_A(R)))) = R, and thereafter R, or numbers derived from R, may be used as a key in further communications between Alice and Bob.

2.1. Key Validation Techniques

Once the parties have agreed to a key, it may, in certain circumstances, be appropriate for the parties to take steps to make sure that the key has not been tampered with during transmission. As used in this description, such steps are known as key validation techniques.

2.1.1. Guarding Against Replay Attacks

The illustrative embodiment outlined in Section 2 above may not be suitable for all applications because it may not guard against replay attacks. A replay attack is an attempt by an eavesdropper who has [monitored] the communications channel to insert old, stale, messages in the communication channel [...].

1. As before, the message exchange begins when Alice 101 sends

P(E_A) (msg. 109)

to Bob 103.

2. Again as before, Bob responds by sending

P(E_A(R)) (msg. 115)

to Alice.

3. Upon receipt of msg.115, the challenge-response mechanism begins. Alice decrypts msg.115 to obtain R, generates a random string challenge_A, and encrypts it with R to produce R(challenge_A). She sends

R(challenge_A) (msg. 121)

to Bob as shown at 121.

4. [Bob decrypts msg.121 to obtain challenge_A,] generates a random string challenge_B, [encrypts both with R] and sends

R(challenge_A, challenge_B) (msg. 127)

to Alice as shown at 127.

5. Alice decrypts msg.127 to obtain challenge_A and challenge_B, and compares the former against her earlier challenge. When it matches, she encrypts challenge_B with R and sends

R(challenge_B) (msg. 133)

to Bob as shown in 133.

6. Bob decrypts msg.133 [to obtain challenge_B] and compares it against the earlier challenge. When it matches, the challenge-response mechanism is successful and the parties may use R, or a string derived from R, as a session key in further communications.

The challenge-response mechanism in the embodiment above can be replaced by other mechanisms for validation. For example, time stamps could be exchanged encrypted by R, under the security-critical assumption that clocks are monotonic and, to some extent, synchronized.

2.1.2 Guarding Against Recovered Session Keys

When a cryptanalyst recovers a session key R, he can use R as a clue to attack P and E_A. Fig. 2 presents [the messages exchanged] in an illustrative embodiment of the invention that hinders an attack on P or E_A when [R has been recovered]. [Because] an unauthorized cryptanalyst might recover a session key, another preferred embodiment of the invention incorporates a mechanism to hinder such an attack. Referring to Fig. 2:

1. As before, the message exchange begins when Alice 201 sends

P(E_A) (msg. 209)

to Bob 203.

2. Again as before, Bob responds by sending

P(E_A(R)) (msg. 215)

to Alice as shown at 215.

3. Alice decrypts msg.215 to obtain R, randomly generates a unique challenge challenge_A and a random subkey S_A, encrypts the challenge and the subkey with R and sends

R(challenge_A, S_A) (msg. 221)

to Bob as shown at 221.

4. Upon receipt of msg.221, Bob decrypts it to obtain challenge_A and S_A, generates a unique challenge challenge_B and a random subkey S_B, and encrypts the two challenges and his subkey with the secret key R and sends

R(challenge_A, challenge_B, S_B) (msg. 227)

to Alice as shown at 227.

5. Upon receipt of msg.227, Alice decrypts it to obtain challenge_A and challenge_B, and compares the former to her earlier challenge. When it matches, she encrypts challenge_B with R to obtain R(challenge_B). Alice sends

R(challenge_B) (msg. 233)

to Bob as shown in 233.

6. Upon receipt of msg.233, Bob decrypts it to obtain challenge_B and compares it to challenge_B of msg.227. When it matches, the two parties calculate a key S = f(S_A, S_B) for some jointly known function f. S is used as the secret key to encrypt all subsequent exchanges and R is reduced to the role of a key exchange [key].

[Furthermore,] a sophisticated cryptanalyst might be able to use the presence of challenges and responses in [the messages] to attack R. When such an attack is of concern, the responses can be modified to contain a one-way function of the challenges, rather than the challenges themselves. Thus, msg.227 could become

R(g(challenge_A), challenge_B, S_B)

and a similar change would be made to msg.233.

2.2 Bilateral Versus Unilateral Encryption

When a portion of both of the first messages are encrypted with the password, as are msg.109 and msg.115 in the embodiment presented above, the embodiment incorporates what is called bilateral encryption. In other illustrative embodiments, however, bilateral encryption is not necessary. When only one of the first [two messages is encrypted, this is] called unilateral encryption. Note that there are two [forms] of unilateral encryption: (1) when [only the first of the] messages is encrypted, and (2) when the second message is encrypted. Section 2.2.1 presents an illustrative embodiment of the invention where only the first message is encrypted with the password, and Section 2.2.2 presents an illustrative embodiment where only the second message is encrypted.

2.2.1. An Illustrative Embodiment Using The RSA Asymmetric Key Cryptosystem

An illustrative embodiment of the invention uses the asymmetric key cryptosystem known as "RSA" and taught by R. Rivest, A. Shamir and L. Adleman in U.S. Patent No. 4,405,829, issued Sept. 20, 1983, and in "A Method for Obtaining Digital Signatures and Public Key Cryptosystems," Communications of the ACM, Vol. 21, No. 2, 120-26 (Feb. 1978). An overview of RSA is given before the illustrative embodiment is presented.

2.2.1.1. An Overview of RSA

The public key E_A for the RSA cryptosystem consists of a pair of natural numbers <e, n>, where n is the product of two primes p and q, and e is relatively prime to

φ(n) = φ(p)φ(q) = (p - 1)(q - 1),

where φ is the Euler Totient function. It is preferred that p and q be of the form 2p' + 1 and 2q' + 1 respectively, where p' and q' are primes. The private decryption key d is calculated such that

ed ≡ 1 (mod (p - 1)(q - 1)).

A message m is encrypted by calculating

c ≡ m^e (mod n);

the ciphertext c is decrypted by

m ≡ c^d (mod n).
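The RSA formulas above, worked in code as an added example (this is not code from the patent): key generation picks p and q in the preferred 2p' + 1 form using a Miller-Rabin probable-prime test (an assumption about how the primes are found, since the patent does not say), computes d as the inverse of e modulo (p - 1)(q - 1), and encrypts and decrypts with the two congruences. The key sizes are toy values chosen for readability. Note that e always comes out odd, which is the property Section 2.5.1 later identifies as a partition-attack risk when e is encrypted with the password.

```python
"""RSA key generation and use following the formulas of Section 2.2.1.1,
with p and q chosen in the preferred 2p' + 1 form.  Added illustration with
toy key sizes, not code from the patent; the probable-prime test is an
assumption about how a practitioner would find such primes."""
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test after trial division by small primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a witness to compositeness
    return True


def random_safe_prime(bits: int) -> int:
    """A prime p = 2p' + 1 with p' also prime, exactly `bits` bits long."""
    while True:
        p_prime = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(p_prime) and is_probable_prime(2 * p_prime + 1):
            return 2 * p_prime + 1


def rsa_keygen(bits: int = 64):
    """Returns (E_A, d) with E_A = (e, n): n = p*q, e coprime to (p-1)(q-1),
    and d the inverse of e modulo (p-1)(q-1)."""
    half = bits // 2
    p = random_safe_prime(half)
    q = random_safe_prime(half)
    while q == p:
        q = random_safe_prime(half)
    n = p * q
    phi = (p - 1) * (q - 1)                       # phi(n) = phi(p) phi(q)
    while True:
        e = secrets.randbelow(phi - 3) + 3        # candidate e in [3, phi-1]
        if math.gcd(e, phi) == 1:                 # phi is even, so e is odd
            break
    d = pow(e, -1, phi)                           # e*d = 1 (mod (p-1)(q-1))
    return (e, n), d


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    return pow(m, e, n)                           # c = m^e (mod n)


def rsa_decrypt(d: int, n: int, c: int) -> int:
    return pow(c, d, n)                           # m = c^d (mod n)
```

With `public_key, d = rsa_keygen(64)` the message `m` must be smaller than `n`; a 64-bit toy modulus is only for the walkthrough and offers no security.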
2.2.1.2. An Illustrative Embodiment Using RSA

EP 0 535 863 A2

Fig. 3 presents the messages exchanged in an illustrative embodiment of the invention that uses the RSA asymmetric key cryptosystem. Referring to Fig. 3:

1. [...] n is distinguishable from a random number and must be sent in the clear. [Alice sends]

P(e), n (msg. 309)

to Bob as shown at 309.

2. [...] [Bob sends]

E_A(R) (msg. 315)

to Alice as shown at 315.

2.2.2. An Illustrative Embodiment Using the El Gamal Asymmetric Key Cryptosystem

An illustrative embodiment of the invention uses the El Gamal asymmetric key cryptosystem, taught by T. El Gamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," I.E.E.E. Transactions on Information Theory, Vol. 31, 469-72 (July 1985).

2.2.2.2. An Overview of the El Gamal Asymmetric Key Cryptosystem

[...] to do so. When [Bob wishes to send a message] m (e.g., R) to Alice, [he computes]

c_1 = a^{R_B} (mod p),

K = (a^{R_A} (mod p))^{R_B} (mod p) = a^{R_A R_B} (mod p),

and

c_2 = R K (mod p).

The encrypted message that Bob sends to Alice consists of the pair <c_1, c_2>.

Alice, knowing R_A and a^{R_B} (mod p), decrypts the message to recover R by calculating

K = (a^{R_B} (mod p))^{R_A} (mod p) = a^{R_A R_B} (mod p)

and then dividing c_2 by K.

2.2.2.3. An Illustrative Embodiment Using the El Gamal Cryptosystem

The messages exchanged in an illustrative embodiment of the invention that uses the El Gamal asym[metric key cryptosystem ...]:

1. [...] sends

a^{R_A} (mod p) (msg. 409)

to Bob as shown at 409. This message may include other information such as the identity of the sender.

2. When Bob receives msg.409 he generates a random number R_B such that a^{R_B} (mod p) is randomly distributed in the interval [0, p - 1]. Bob also generates a random session key R and computes [and sends]

P(a^{R_B} (mod p), R a^{R_A R_B} (mod p)) (msg. 415)

to Alice as shown at 415.

3. Alice, knowing P, recovers a^{R_B} (mod p) and consequently R. After receipt of msg.415, one of the key validation techniques may be begun. Thereafter, R, numbers derived from R, or a number derived from a validation technique can be used as a session key.

2.5 Security Considerations

2.5.1 Partition Attacks

The principal constraint on any embodiment is that encryptions using P must leak no information. For some cryptosystems this is difficult. For example, the public keys in RSA are always odd. When no special precautions are taken, an attacker could rule out half of the candidate values P when P^-1(P(e)) is an even number. Upon first inspection, this is an unimportant reduction in the key space; however, when left uncorrected it can compromise the security of the embodiment. As used in this description, the term "key space" is the range of possible cryptographic keys. When the key space is large an unauthorized cryptanalyst attempts to "reduce the key space" or eliminate impossible cryptographic keys. By the process of elimination the cryptanalyst can, when given sufficient clues such as the one shown above, reduce the key space down to reveal the actual key.

Recall that each session uses a different public key, independent of all others previously used. Thus trial decryptions resulting in illegal values of e' exclude different values of P each time. In other words, each time a session key is negotiated an attacker can partition the remaining candidate key space into two approximately equal halves. The key space is thus logarithmically reduced; comparatively few intercepted conversations will suffice to reject all invalid guesses at P. This attack is called a partition attack.

For some cryptosystems, a minimal partition may be acceptable. Consider a situation where integers modulo some prime p must be encrypted with P. When n bits are used to encode p, trial decryptions yielding values in the range [p, 2^n - 1] can be used to partition the password space. However, when p is close to 2^n, perhaps even 2^n - 1, few candidate passwords are excluded by each session. Consequently, p equal to 2^n - 1 is preferred, while conversely values of p far from 2^n - 1 are not preferred.

Another danger comes from trying to encrypt a number with a cryptosystem that demands a blocksize larger than the number. The blocksize of a cryptosystem is the amount of plaintext that the cryptosystem can encrypt in a single encryption. The number should be padded with random data to bring the total string up to the blocksize of the cryptosystem.

Note that both problems may be eliminated in one operation. Again, assume that one is encrypting integers modulo p. Further assume that the desired input encryption block size is m bits, where 2^m > p. Let

q = ⌊2^m / p⌋.

The value q is the number of times p fits into the encryption block size. Therefore choose a random value j ∈ [0, q - 1] and add jp to the input value using non-modulo arithmetic (when the input value is less than 2^m - qp, use the interval [0, q] instead). The recipient, knowing the modulus, recovers the decrypted value to the proper range by dividing the input plus jp by p and taking the remainder.
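The checks a designer runs on the encoding described in this subsection, as an added example (not code from the patent): `illegal_fraction` measures how much of an m-bit block space a trial decryption can rule out, both for a raw RSA exponent (always odd) and for residues mod p written directly into the block, while `encode_padded` and `decode_padded` implement the random-multiple-of-p padding above with its quotient q = ⌊2^m / p⌋ and the [0, q] adjustment for small inputs. `reachable_blocks` enumerates, for small parameters, every block the padded encoding can produce, which shows that no block value is left for a partition attack to exclude. The function names and the toy parameters are assumptions of this example.

```python
"""Section 2.5.1 in code: how much a password-encrypted block leaks, and the
random-multiple padding that removes the leak.  Added illustration, not code
from the patent; parameters are small so the checks are exhaustive."""
import secrets


def illegal_fraction(is_legal, m: int) -> float:
    """Share of the 2^m plaintext blocks that can never be a legal value.
    A trial decryption landing on such a block rules the guessed password
    out, so each intercepted message discards about this share of the
    remaining candidates; a design wants it as close to 0 as possible."""
    total = 1 << m
    return sum(1 for y in range(total) if not is_legal(y)) / total


def naive_leak(p: int, m: int) -> float:
    """Residues mod p written straight into an m-bit block: [p, 2^m - 1] is illegal."""
    return illegal_fraction(lambda y: y < p, m)


def rsa_exponent_leak(m: int) -> float:
    """An RSA public exponent e is always odd, so every even block is illegal."""
    return illegal_fraction(lambda y: y % 2 == 1, m)


def block_quotient(p: int, m: int) -> int:
    """q = floor(2^m / p): how many times p fits into the block."""
    return (1 << m) // p


def _padding_choices(x: int, p: int, m: int) -> int:
    """j ranges over [0, q-1], or over [0, q] when x + q*p still fits in m bits
    (the "input value is less than 2^m - qp" case)."""
    q = block_quotient(p, m)
    return q + 1 if x < (1 << m) - q * p else q


def encode_padded(x: int, p: int, m: int) -> int:
    """Pad x in [0, p) to x + j*p with plain (non-modular) addition."""
    if not 0 <= x < p:
        raise ValueError("input must already be reduced modulo p")
    j = secrets.randbelow(_padding_choices(x, p, m))
    return x + j * p


def decode_padded(y: int, p: int) -> int:
    """The recipient, knowing p, takes the remainder to return to [0, p)."""
    return y % p


def reachable_blocks(p: int, m: int) -> set:
    """Every block value encode_padded can emit, enumerated exhaustively.
    When this equals {0, ..., 2^m - 1}, no trial decryption ever looks illegal."""
    out = set()
    for x in range(p):
        out.update(x + j * p for j in range(_padding_choices(x, p, m)))
    return out


def padded_leak(p: int, m: int) -> float:
    """Leak of the padded encoding: blocks that no padding choice ever produces."""
    reach = reachable_blocks(p, m)
    return illegal_fraction(lambda y: y in reach, m)
```

For p = 251 in an 8-bit block the naive encoding leaks 5/256 of the block space per message, for p = 127 in a 7-bit block (the preferred 2^n - 1 shape) only 1/128, and a raw RSA exponent leaks a full half; the padded encoding leaks nothing in every case, and every padded block still decodes to its original residue.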

3. ILLUSTRATIVE EMBODIMENTS THAT USE PUBLIC KEY DISTRIBUTION SYSTEMS 

An illustrative embodiment of the invention uses the public key distribution system known as "Diffie-Hellman" and taught by M.E. Hellman, W. Diffie and R.C. Merkle in U.S. Patent No. 4,200,770, April 29, 1980, and in W. Diffie and M.E. Hellman, "New Directions in Cryptography," I.E.E.E. Transactions on Info. Theory, Vol. 22, No. 6 (Nov. 1976).

3.1. An Overview of Diffie-Hellman

Diffie-Hellman is not a cryptosystem. It is, however, a mechanism for publicly generating a secure key (e.g., a session key) for a symmetric cryptosystem. Briefly, Alice and Bob each pick random exponents R_A and R_B. Assuming they agree on a common base a and modulus p, Alice computes a^{R_A} (mod p) and Bob computes a^{R_B} (mod p). Each party transmits their computed quantity in the clear to the other party. Alice, knowing R_A and a^{R_B} (mod p), computes

K = (a^{R_B} (mod p))^{R_A} (mod p) = a^{R_A R_B} (mod p).

Similarly, Bob, knowing R_B and a^{R_A} (mod p), computes

K = (a^{R_A} (mod p))^{R_B} (mod p) = a^{R_A R_B} (mod p).

Note that Diffie-Hellman does not provide authentication and is therefore vulnerable to active wiretaps.
3.2. An Illustrative Embodiment Using Diffie-Hellman

[...] [Referring to Fig. 5:]

1. Alice 501 and Bob 503 agree on a common base a and modulus p. Alice generates a random number R_A and sends

P(a^{R_A} (mod p)) (msg. 509)

to Bob as shown at 509. Because a^{R_A} (mod p) is random, guesses at P will yield no useful information.

2. Similarly, Bob generates a random number R_B and sends

P(a^{R_B} (mod p)) (msg. 515)

to Alice as shown at 515. At this point both Alice and Bob know both a^{R_A} (mod p) and a^{R_B} (mod p) and can therefore calculate a session key as shown in Section 3.1. Additionally, one of the key validation techniques may be commenced once a common value is computed by both Alice and Bob.
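The exchange of this section followed by the challenge-response validation of Sections 2.1.1 and 2.1.2 (with the one-way function g applied to the returned challenges), as an added example that is not code from the patent. The modulus p = 2^31 - 1 and base 7 are toy parameters chosen because p has the 2^n - 1 shape Section 2.5.1 prefers and 7 is a primitive root of it; the DES encryption the patent names is replaced by a SHA-256 keystream standing in for the symmetric cipher. Both stand-ins and all function names are assumptions of this example; a real deployment needs a full-size modulus and a real cipher.

```python
"""Password-encrypted Diffie-Hellman (the Fig. 5 flow of Section 3.2) followed
by the challenge-response key validation of Sections 2.1.1/2.1.2.  Added
illustration, not code from the patent: toy 31-bit modulus and a hash-based
stand-in for the symmetric cipher (the patent names DES)."""
import hashlib
import hmac
import secrets

# Constructed public parameters (assumptions for the demo, not from the patent).
# p = 2^31 - 1 is prime and has the "2^n - 1" shape Section 2.5.1 prefers: every
# 31-bit block except the all-ones pattern is a legal residue, so a trial
# decryption under a wrong password guess excludes almost no candidates.
# alpha = 7 is a primitive root of this p.  A 31-bit group is far too small for
# real use; it only keeps the example fast and readable.
P_MOD = 2**31 - 1
ALPHA = 7
MASK31 = P_MOD            # 0x7FFFFFFF: keeps ciphertexts inside 31 bits


def keystream(key: bytes, label: str, n: int) -> bytes:
    """Stand-in symmetric cipher: SHA-256 counter-mode keystream bound to a
    per-message label so no keystream byte is reused within a session."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + label.encode() + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def sym_xor(key: bytes, label: str, data: bytes) -> bytes:
    """R(X) and its inverse: XOR with the keystream (encryption = decryption)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


def password_key(password: str) -> bytes:
    """P' in the patent's notation: a cipher key derived from the password P."""
    return hashlib.sha256(password.encode()).digest()


def encrypt_residue(password: str, label: str, value: int) -> int:
    """P(alpha^R mod p): XOR the 31-bit residue with 31 keystream bits, so the
    ciphertext is itself an unremarkable 31-bit number (Section 2.5.1)."""
    pad = int.from_bytes(keystream(password_key(password), label, 4), "big") & MASK31
    return value ^ pad


decrypt_residue = encrypt_residue  # the same XOR recovers the residue under the right P


def session_key(peer_residue: int, own_exponent: int) -> bytes:
    """K = (alpha^{R_peer})^{R_own} mod p, hashed into a cipher key."""
    k = pow(peer_residue, own_exponent, P_MOD)
    return hashlib.sha256(k.to_bytes(4, "big")).digest()


def g(challenge: bytes) -> bytes:
    """One-way function of a challenge, the Section 2.1.2 hardening of a response."""
    return hashlib.sha256(b"response" + challenge).digest()


def run_exchange(password_alice: str, password_bob: str):
    """Runs msg.509/msg.515 and then the msg.121/127/133 validation.
    Returns (validated, key); key is None when either challenge check fails."""
    # 1. Alice 501 sends P(alpha^{R_A} mod p)                         (msg.509)
    r_a = secrets.randbelow(P_MOD - 2) + 1
    msg509 = encrypt_residue(password_alice, "msg.509", pow(ALPHA, r_a, P_MOD))
    # 2. Bob 503 sends P(alpha^{R_B} mod p)                           (msg.515)
    r_b = secrets.randbelow(P_MOD - 2) + 1
    msg515 = encrypt_residue(password_bob, "msg.515", pow(ALPHA, r_b, P_MOD))
    # Each side decrypts with its own password and derives the Section 3.1 key.
    key_a = session_key(decrypt_residue(password_alice, "msg.515", msg515), r_a)
    key_b = session_key(decrypt_residue(password_bob, "msg.509", msg509), r_b)
    # 3. Alice sends R(challenge_A)                                     (msg.121)
    challenge_a = secrets.token_bytes(16)
    msg121 = sym_xor(key_a, "msg.121", challenge_a)
    # 4. Bob answers with R(g(challenge_A), challenge_B)                 (msg.127)
    challenge_b = secrets.token_bytes(16)
    seen_a = sym_xor(key_b, "msg.121", msg121)
    msg127 = sym_xor(key_b, "msg.127", g(seen_a) + challenge_b)
    # 5. Alice checks the response to her challenge, then sends R(g(challenge_B))
    plain127 = sym_xor(key_a, "msg.127", msg127)
    if not hmac.compare_digest(plain127[:32], g(challenge_a)):
        return False, None          # Bob did not know P, or a message was altered
    msg133 = sym_xor(key_a, "msg.133", g(plain127[32:]))              # (msg.133)
    # 6. Bob checks the response to his challenge; both now trust the session key.
    if not hmac.compare_digest(sym_xor(key_b, "msg.133", msg133), g(challenge_b)):
        return False, None
    return True, key_a
```

`run_exchange` returns `(True, key)` when both parties hold the same password and `(False, None)` when they do not, because the mismatched R(challenge) responses fail the comparison on one side or the other. The masking in `encrypt_residue` is where the Section 2.5.1 point lives: a trial decryption under any password guess always yields a 31-bit value that is a plausible residue, so the ciphertext gives an eavesdropper nothing to partition the password space with.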

3.3. Bilateral Versus Unilateral Encryption

Typically both messages of the Diffie-Hellman public key distribution system are not encrypted. Unilateral encryption, the encryption of a portion of at least one of the messages of the Diffie-Hellman public key distribution system, will assure privacy and authentication. Therefore, referring to Fig. 5, it is possible to omit the encryption of either one, but not both, of the messages in Fig. 5. For example, msg.509 can be replaced by

a^{R_A} (mod p)

Alternatively msg.515 can be replaced by

a^{R_B} (mod p)

[That] unilateral encryption [preserves] the security of the system means that one pair of encryptions and decryptions can be omitted. Encryption and decryption can require substantial computing resources and time; [with unilateral encryption] those resources can be omitted and time can be saved.

3.4 Choosing a and p

a and p can be chosen from among different values, each of which choices reflects a tradeoff between cost and security. Although there are a number of possible choices for the modulus, large prime values of p are secure. Furthermore, it is desirable that a be a primitive root of the field GF(p). When p is chosen [...] such values [...] they are easy to [...].

It is somewhat problematic for Alice and Bob to agree to common values for a and p without revealing information to an attacker. P(p) cannot be transmitted because testing a random number for primality is too easy. In one embodiment, a and p are fixed and made public. This embodiment has the advantage that there are no leakage or partition attacks. The disadvantage is that implementations become less flexible [...] such values. A further disadvantage to making p public is that to maintain security p must be large, which in turn makes the exponentiation operations expensive.

Some compromise in the length of the modulus is possible, however. Because in the embodiment the password P is used to superencrypt such values, it is not possible to essay a discrete logarithm calculation except [...]. [...] expensive [...] sufficient to make [...]; [...] discrete logarithm solutions are estimated to take [...].

Another consideration inclines one towards larger moduli, however. When the user's password is compromised, [...] the exponentials are available to the attacker; these, when solved, will permit reading of old conversations. When a large modulus value is chosen, all such conversations would remain secure.

The size requirements for p are derived from a desire to prevent calculations of discrete logarithms in the field [GF(p)]. [...] algorithms [for such] calculations [require large] amounts of precalculation. When a different p is used each time, an attacker cannot build tables in advance; thus, a much smaller, and hence cheaper, modulus can be used. Therefore, in the preferred embodiment Alice generates random values of p and a and transmits them in cleartext during the initial exchange. There is little security risk associated with an attacker knowing these values; the only problem would be with cut-and-paste attacks. And even this risk is minimal [...] certain checks to guard against easily-solvable choices: that p is indeed prime, that [it is] not susceptible to precalculation [...], that p - 1 have at least one large prime factor, and that a is a primitive root of GF(p). The latter two conditions are related; the factorization of [p - 1 ...]. [...] about choosing [a]. But when a suitable value of p is chosen, [...] there is no reason not to examine the integers starting with 2; the density of primitive roots guarantees that one will be found quite quickly.

4. THE CRYPTOSYSTEMS

4.1. Selecting a Symmetric Key Cryptosystem

Symmetric key encryption is used three times in various embodiments: to encrypt the initial asymmetric [key exchange] message, [to encrypt] the challenges and responses, and to protect the ensuing application session. In general, the same symmetric key cryptosystem can be used at all three points.

[...] The messages advantageously should not use any other form of tagged data representation.

In [such] embodiments, the original plaintext message should not contain any non-random padding to match the encryption blocksize, nor any form of error-detecting checksum. Protection against [...] may be [left to] lower-layer protocols. While cipher block [chaining] may be employed to tie together multiple blocks and hinder cryptanalytic attacks, such mechanisms are [...] of the message. [The] challenge/response mechanism provides the [necessary] defense against [...]. Other alternatives include employing message [...] or adding message authentication codes; however, these may introduce redundancy undesirable in the face of a cryptan[alyst ...]. In such situations, the one-way function mentioned in Section 2.1.2 may be preferable.

Finally, the use of R in the ensuing login session must not reveal useful information about R. When the system is cryptanalyzed and when R is recovered, the attacker can then mount [...]. Furthermore, [...] applicable to protecting a session [...]. [One should be] cautious, and examine the particular symmetric system under the assumption [...].

4.2 Selecting a Public Key Distribution System

In principle, any public key distribution system can be used, including Merkle's Puzzles (R.C. Merkle, "Secure Communications Over Insecure Channels," Communications of the ACM, Vol. 21, 294-99 (Apr. 1978)). In practice, some systems may be ruled out on practical grounds. For example, a system that used many large [...] would allow an attacker to validate a candidate password by retrieving the session key [...]. [...] concealed. Unfortunately, the option necessitates both parties to go through the [...] prime numbers, albeit while saving on the size modulus required. The [...] reconsidering when very fast solutions to the discrete logarithm problem are found.

5. THE APPARATUS TO CARRY OUT THE MESSAGE EXCHANGE

[...] the apparatus [...] to carry out the message exchange [...] to enable a person having ordinary skill in the art to perform any embodiment of the invention.

[...] equipment [...] Alice and Bob [...] and desire to establish private and authenticated communications. [...] The secret P is stored in a register or the like in both Alice and Bob. Alice comprises a transmitter 602 [...]. The transmitter 602 contains an asymmetric key generator 605 which generates a public and [private key]. [The public key] is passed to a symmetric key encryptor 607. The symmetric key encryptor 607 [...] accepts as input the secret P and encrypts the public key, or a portion thereof, with [the secret P to form a] message. The [message] is passed from the symmetric key encryptor 607 to a communications channel 609, where it is transmitted to a receiver 610 in Bob.

[...] The public key is passed to the transmitter 620 [...], which comprises a symmetric key encryptor 616, an asymmetric key encryptor 617 and a symmetric key generator 618. The key generator 618 generates a random symmetric key which is passed to the asymmetric key encryptor 617. The asymmetric key encryptor 617 also accepts as input the public key from the [receiver 610] and encrypts the symmetric key with the public key to form an encrypted key, which [is passed to] the symmetric key encryptor 616, which also accepts as input the secret P [...] and encrypts the encrypted key with the secret P to form a response message [...].

[...] 613. The [...] decrypts the response message to recover the encrypted key and passes it to the asymmetric key decryptor 613. The asymmetric key decryptor 613 also accepts as input the private key from the asymmetric key generator 605 and uses it to decrypt the encrypted key to recover [the symmetric key]. [The symmetric key] is passed from the asymmetric key decryptor 613 to [...], and the key generator 618 passes the symmetric key to Bob's key validator [...].

[...] with either [...] via a [...] the symmetric key. The purpose of validating the key is to assure that neither Alice nor Bob [is communicating with] an unauthorized eavesdropper who may have discovered the [secret P] [...]. [...] in further communications with Alice over communications channel 609.
6. APPLICATIONS

Embodiments of the invention can be used for secure public telephones. When someone wishes to use a secure public telephone, some keying information will typically be provided. Conventional solutions require that [...]. Embodiments of the invention permit use of a short, keypad-entered password, but use a much longer session key for the call.

Embodiments of the present invention can be used with cellular telephones. Fraud has been a problem in the [...]; embodiments of the invention can defend [against] fraud (and ensure the privacy of the call) by rendering a telephone useless when a PIN or other key has not been entered. Since the PIN or other key is not stored within the telephone, it is not possible to retrieve one from a stolen unit.

Embodiments of the invention also provide a replacement for Rivest and Shamir's Interlock Protocol. R.L. Rivest and A. Shamir, "How to Expose an Eavesdropper," Communications of the ACM, Vol. 27, No. 4, 393-95 (1984).
1. A method for secure communications between a plurality of parties who share a secret, CHARACTERIZED BY [the steps of]:
sending a first message of a public key distribution system to a party; and
receiving a second message of the public key distribution system in response to the first message;
[...]

3. The method of claim 1 wherein at least a portion of both the first message and the second message are encrypted in a symmetric key cryptosystem.

4. The method of claim 1 wherein the [first and] second messages are messages of a [...] cryptosystem.

5. The method of claim 1 wherein the first message and the second message are used to obtain a session [key].

6. The method of claim 5 further comprising the step of:
validating the session key.

7. A method for secure communications between a plurality of parties who share a secret, CHARACTERIZED BY [the steps of]:
receiving a first message of a public key distribution system from a party; and
sending a second message of the public key distribution system in response to the first message;
wherein at least a portion of [at least one of the first message and the second message are encrypted with] the secret as a key.

8. The method of claim 7 wherein at least a portion of at least one of the first message and the second message are encrypted in a symmetric key cryptosystem with the secret as a key.

9. The method of claim 7 wherein at least a portion of both the first message and the second message are encrypted in a symmetric cryptosystem with the secret as a key.

10. The method of claim [7] wherein the first message and the second message are messages of a [...] cryptosystem.

11. The method of claim 7 wherein the first message and the second message are used to obtain a session key.

12. The method of claim 11 further comprising the step of:
validating the session key.

13. An apparatus for secure communications between a plurality of parties who share a secret, CHARACTERIZED BY:
means 602 for sending a first message of a public key distribution system to a party; and
means [...] for receiving a second message of the public key distribution system in response to the first message;
[wherein at least a portion of] at least one of the [first] message [and the second message ...].

[...]

16. [...] message [...].

[...]

18. The apparatus of claim 17 further comprising:
means 619 for validating the session key.

19. An apparatus for secure communications between a plurality of parties who share a secret, CHARACTERIZED BY:
means 610 for receiving a first message of a public key distribution system from a party; and
means [...] for sending a second message of the public key distribution system in response to the first message;
wherein at least a portion of at least one of the first message and the second message are en[crypted ...].

20. The apparatus of claim 19 wherein at least a portion of at least one of the first message and the second message are encrypted in a symmetric key cryptosystem with the secret as a key.

21. The apparatus of claim 19 wherein at least a portion of both the first message and the second message are encrypted in a symmetric key cryptosystem.

22. The apparatus of claim 19 wherein [the first] message and the second message are [messages] of a public [...].

23. The apparatus of claim 19 wherein the first message and the second message are used to obtain a session [key].

24. The apparatus of claim 23 further comprising:
means for validating the session key.
FIG. 3

FIG. 5